Security at Satchel
You’re trusting us with clinician credential records and compliance workflow data. This page describes the controls currently available and the safeguards we confirm before handling sensitive documents.
Encrypted transport
Application traffic is transmitted over encrypted HTTPS connections. Before a pilot involving sensitive documents, we confirm the storage and retention approach for that deployment.
Least-privilege access
Access to customer data is restricted to the personnel who need it to deliver the service, with role-based controls.
Decision history
Uploads, manual verification events, record edits, and staffing actions are timestamped to help your team explain what happened and when.
HIPAA scope & safeguards
HIPAA applicability depends on the customer relationship and the data involved. If Satchel will create, receive, maintain, or transmit PHI as a business associate, the required BAA and applicable safeguards must be in place before that PHI is processed.
Pilot-ready controls
Tenant isolation, role-based permissions, signed sessions, and authentication rate limits are built into the application. Enterprise requirements are scoped before rollout.
Responsible disclosure
Found a vulnerability? Email hello@satchelhub.com and we will respond promptly. We appreciate coordinated disclosure.
Security requirements, reviewed together
We’ll review your security, data-handling, and vendor requirements before rollout so the deployment scope is clear for both teams.